Security and interop issues cause EU biometric passport delays

The European Union has asked the US to put back its biometric passport deadline for another year, citing "data security and interoperability of reading devices" as issues that still needed to be resolved. Meanwhile, data security is becoming a major issue in the run up to the planned rollout of US biometric passports later this year. The current deadline, after which the US will require biometric passports for non-visa travellers, is 26th October 2005, but EU Justice and Home Affairs Commissioner Franco Frattini has asked for this to be put back to August 28th 2006.

The most serious of the problems Frattini describes with some understatement as "still being finalised" relates to the planned use of a contactless chip to house the passport's data, and the security mechanisms used to protect that data from unauthorised readers. Contactless means (at least in theory) that travellers can breeze through the barriers with a wave of their passport, thus speeding their progress towards whatever destination immigration officials choose to assign them. But contactless also means that the data is vulnerable to snooping, and it should not take too much effort for would-be snoopers to produce devices that will read the passport data from a greater distance than the designers would wish.

Much US opposition to the technology complains, with characteristic insularity, that such systems would allow terrorists to identify Americans abroad and kidnap them. For our non-US readers, however, we should stress that such systems would allow terrorists to identify anybody and kidnap them. Or steal their ID. Or even better from the point of view of automation-happy kleptos, locate and steal their passports.

So some form of security that will stop them doing this is necessary, but it's difficult to see how it could be devised, and the US itself seems to be tacitly admitting that it can't. The US is adding "technical features" to protect the data, but according to Frank Moss of the State Department these will play a role in "mitigating the risk of skimming." If he could have said eliminating, we feel sure he would have, but he said "mitigating".

Frattini's second issue of "interoperability of reading devices" rears its head here. Obviously, if you're going to have a global standard for contactless biometric passports, then all of the relevant people in all of the countries issuing them are going to need to be able to read of the passports. So what price your security? Even if you can persuade yourself your own people aren't going to be a source of leakage of either readers or technical data, are you seriously going to trust everybody out there?

One feels perhaps that there was a joined up thinking failure in the development of the cunning biometric passport plan. The data printed in the current generation of passports is completely open, unsecured, and available to any terrorist or official of an axis of evil member state who cares to open it and look. The International Civil Aviation Organisation (ICAO) standard for biometric passports is intended to provide a machine-readable equivalent of this, so logically it should be just as available. The error would therefore seem to arise from thinking making it available from a distance was a bright idea.

Faced with these difficulties, giving passports their very own 'tinfoil hats' so that they're only readable when taken out of their sleeves seems the most obvious workable (but perhaps not entirely marketable) solution.

The EU itself has uncovered further issues at the bleeding edge of computerised ID technology. Last year plans for biometric visas took a knock when a technical team reported that having multiple contactless chips in the one passport produced a predictably unintelligible noise from competing songsheets. Multipart bodges where the offending chips are housed separately have been proposed, but this doesn't sound like a particularly effective 'next generation' of a single passport document where all of the relevant data, including visas, entry and exit stamps and endorsements, is readily available. So we have another joined up thinking failure here.

Matters are further complicated because of the difficulties the various countries developing biometric passports face in keeping in step (even if they want to). The US is producing its own passports while the EU's effort is at least intended to be interoperable within the EU. But the UK, as a non-Schengen EU state, is engaged in efforts that are at least technically separate from the EU ones. The EU also intends to add fingerprint to the facial biometric (ICAO requires facial, but offers fingerprint as optional). Although the UK is very keen indeed on fingerprinting everybody, it isn't bound to do so by the EU timetable, so one can foresee the possibility that a delayed EU standard passport could emerge with fingerprint from the start, while the UK and the US simply used facial. At least the first generation of UK passport will ship with facial only, but will still miss the US October 2005 deadline.

It's now not clear when (possibly even "if") the UK will add fingerint and iris to the biometric data collected in passport applications. Passport applications were initially seen by the UK Government as a key enrolment route for the ID card scheme, but it has now ended up planning to ship what critics said it could have shipped in the first place - an ICAO-compliant passport with facial biometric (which is actually just a digitised conventional mugshot in this case), and without any spurious linkage to ID card schemes. The price of a passport will nevertheless still rise to ludicrous levels when they do ship - as a Privacy International analysis this week notes, this is something of a puzzle. ®